University notifying nearly 49,000 about information hack, but students face no financial threat

Iowa State University this week is reaching out to nearly 49,000 current and former students after discovering a breach of five departmental servers that exposed their Social Security numbers or university identification numbers.

An analysis of the breach has revealed the compromised servers contained Social Security numbers belonging to 29,780 students enrolled at Iowa State between 1995 and 2012. ISU officials also are contacting 18,949 students whose university ID numbers were located on the compromised servers.

No student financial information was stored on the servers. And, so far, the university has no evidence that any of the exposed data files were accessed. University ID numbers typically are used in combination with a password, and officials say they have no use beyond the campus.

Exposure of those numbers poses no financial threat, according to Senior Vice President and Provost Jonathan Wickert.

The person or people who hacked the servers apparently intended to “generate enough computing power to create bitcoins,” according to an ISU news release. Bitcoins are a form of digital money that can be used to buy merchandise anonymously, according to ISU officials.

ISU has contacted law enforcement about the breach, but authorities have not identified a suspect at this time. Because there is “no evidence of the information being used, it is unclear whether we will ever be able to find those responsible or be able to charge them with the crime,” said Annette Hacker, director of ISU News Service.

The university on Tuesday mailed letters to everyone whose Social Security numbers were compromised and to those students who had ID numbers on compromised servers, Hacker said.

Out of “an abundance of caution,” ISU has decommissioned, removed from the Internet and destroyed the compromised servers. Other similar servers can no longer be accessed online, have been updated to prevent hacking and soon will be replaced, according to ISU officials.

The university also is accelerating implementation of its new “data collection policy,” which provides for enhanced security standards and guidance.

The five servers that were compromised are “network-attached storage devices” made by Synology, which has reported similar attacks involving other users. After thoroughly examining all the information on the compromised servers, ISU has deleted any files containing personal information.

Going forward, ISU’s information technology team is working to improve security on mobile computers, and it will begin a process to improve network security through stronger password standards, according to ISU officials.

The university now deploys software that regularly scans computers, servers and other devices to locate protected information, and Provost Wickert said ISU is taking “every possible action to safeguard the personal information of those who learn and work here.”

“We have well-regarded cyber defense experts here who not only protect university data, but educate others on how to prevent computer attacks,” he said in a news release. “Unfortunately, Iowa State is not immune to hacking, but we are disappointed and sorry for the inconvenience this incident may cause.”

Wickert said ISU experts don’t believe student personal information was the target of the recent attack, even though it was exposed.

ISU has hired AllClear, a national firm specializing in identity protection, to help students affected by the breach. Representatives are available at 877-403-0281.

The university also will buy one year of credit monitoring for students whose Social Security numbers were exposed, according to a news release. And anyone interested can opt for a second free year of monitoring through AllClear.

Affected students include those who took a class in computer science from 1995 to 2005; world languages and cultures in 2004, 2007, 2011 and 2012; and one specific materials science and engineering class in fall 2001 and spring 2001.

ISU officials are warning students and alumni to be vigilant about information requests. Even though the university and its foundation and alumni associations regularly request information, no one will ask for Social Security numbers, officials said.

Anyone with questions can contact the ISU Foundation at 515-294-4607, the ISU Alumni Association at 515-294-6525, or Iowa State’s computer security team at serverbreach@iastate.edu.